Sunday, April 30, 2006

NetWatchman

Here's a cool thing if they are legit. My big beef about network admins, managed firewalls, and network security is that it is impossible to track, monitor and report problems in a way that actually makes a difference. (See my managed shmanaged firewall post).

These guys are actually giving it a go. Good for them!
MyNetWatchman.com

It looks pretty cool (if it works): they monitor the traffic and, after so many attempts, automatically notify the offending network. If someone at the offending network actually looks into the problem, some of these holes on the Internet can be plugged up.

Better yet would be if the offending networks actually reported the criminal to the FBI, if they can find him/her.

Of course someone still needs to verify that they are actually sending the complete log and not hacking and altering logs as the information is reported, just as in my post about the McAfee firewall possibly having problems.

The concept, however, is very cool and hopefully will help notify networks with servers that need to be patched up quickly if a lot of people start using it, or something like it.

International IP Database

I've been looking for this for quite some time and telling investors that we need it. Finally I found it...

International IP Database

Now you might think, hey, I can already get this information from DNSStuff.com or any of the Internet databases out there. Why do I need this?

Here's why: organizations like RIPE span multiple countries, and the IPs are not kept together in blocks for each country. You could have an Australian net range of DNS records butted up against the infamous Chinese hacker net ranges.

Well, it's pretty well established that there are loads of hackers coming out of Taiwan, Korea, China, Russia and a few in Japan. So let's say you have no reason to do business with Asia and you want to just block out that whole set of IPs to prevent any unwanted attacks from those countries, but still allow yourself to do business with other countries whose DNS is supported by the RIPE DNS database. How are you going to do that? Impossible!

Until now. If this Maxmind.com database really works - I say if because I have not verified that it is accurate, or that they are a legitimate, non-hacker organization and that their information has not been hacked - then you should be able to use their database to update your firewall and simply block out these problem countries laden with hackers.
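Here is what "use their database to update your firewall" looks like in practice, as an added example that is not from the original post or from Maxmind: a small constructed table of ranges (made-up values in the first-IP, last-IP, country shape that range-based geolocation files use, with countries interleaved inside one block the way RIR allocations are) is turned into collapsed CIDR deny rules for the countries you choose to block.

```python
"""Added example: per-range IP-to-country table -> firewall deny rules."""
import ipaddress

# Constructed sample rows (RFC 5737 documentation addresses, made-up countries).
# Note that AU and CN share one /24, so a per-range table is needed to split them.
SAMPLE_RANGES = [
    ("203.0.113.0",   "203.0.113.127",  "AU"),
    ("203.0.113.128", "203.0.113.255",  "CN"),
    ("198.51.100.0",  "198.51.100.63",  "TW"),
    ("198.51.100.64", "198.51.100.255", "DE"),
    ("192.0.2.0",     "192.0.2.255",    "US"),
]


def parse_ranges(rows):
    """Convert (first, last, cc) strings into sorted (addr, addr, cc) tuples."""
    out = [(ipaddress.ip_address(f), ipaddress.ip_address(l), cc) for f, l, cc in rows]
    return sorted(out, key=lambda r: r[0])


def country_of(ip, ranges):
    """Return the country code of the range containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for first, last, cc in ranges:
        if first <= addr <= last:
            return cc
    return None


def deny_cidrs(ranges, blocked):
    """Collapse every range of a blocked country into the fewest CIDR blocks."""
    nets = []
    for first, last, cc in ranges:
        if cc in blocked:
            nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def iptables_rules(cidrs, chain="INPUT"):
    """Render one Linux iptables DROP rule per CIDR (a firewall-neutral list
    of CIDRs is what deny_cidrs returns, so other firewalls can be fed too)."""
    return [f"iptables -A {chain} -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    ranges = parse_ranges(SAMPLE_RANGES)
    print("\n".join(iptables_rules(deny_cidrs(ranges, {"CN", "TW"}))))
```

Because the rules are derived from the table, re-running the script after a database update keeps the block list current, which is the whole point of using a maintained database instead of hand-picked ranges.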

As noted in other reports, China is actually leveraging hackers in their country as an espionage and Internet warfare force. It may be best to just completely block them out if you don't have a need to do business with them, or to have separate servers for Asia and other parts of the world. This is an extreme suggestion, but this is the world we live in, and hackers abound in certain countries.

True hackers could re-route through other countries but it would make it one step harder for them and hopefully these other countries would be more hacker UNfriendly.

Saturday, April 29, 2006

The Real Estate Hackers

Real Estate on the net is hot. I know this because I do SEO, advertising and marketing for Real Estate web sites, among other things. There are a bunch of hackers targeting Real Estate. One of them from China was generating a bunch of spam on a lead generating site we had set up for a customer. I recently had a customer that I am not convinced was not part of this real estate crime ring. Yes, hacking and spamming is a CRIME, in case you real estate people who are doing this like to think otherwise - that maybe it is just tough business. It is not. I hope you like to wear stripes, or orange jumpsuits as it may be these days.


Thursday, April 27, 2006

More Hackers


Wednesday, April 26, 2006

DNS Spoofing

Here's what you need to know about DNS Spoofing:

http://www.menandmice.com/9000/9211_dns_spoofing.html

And steps to take to secure your DNS Server:
http://www.linuxsecurity.com/resource_files/server_security/securing_an_internet_name_server.pdf

A related article on DNS hacking:

http://news.com.com/DNS+servers+do+hackers+dirty+work/2100-7349_3-6053468.html

Why The US Doesn't Release Control Of DNS Databases

There are a bunch of open source programmers and idealists out there that complain that the US Government is bad because they don't want to release control of the Internet domain name databases. The attitude is that the US is terrible because we don't cooperate with the world...

OK, I don't like a closed-nation kind of thought process, and I have many friends in other countries that I communicate with regularly and clients in other countries, but there are some serious security issues related to that DNS database. Basically that database identifies the true (in theory) identities and locations of computer users around the world. It's not that the US is saying "we created it and we're keeping it!" It is a matter of national defense.

For instance let's say we give up these databases to countries that are obviously harboring hackers and spammers or don't particularly like the United States.

Let's say we just hand over control of these databases to these other countries. Now what happens...the logical progression is that the countries that are harboring spammers and hackers change the records. They can point people to alternate IP addresses for domain names that are not legitimate and send back false information for a particular IP range.

The Internet Protocol (IP) was developed by the US Military as a fault tolerant means of sending traffic over the Internet. The reality is that the next form of warfare is information technology.

Having our enemies control our mechanism for communication is game over, if we continue to use the Internet as a means of routing messages when we don't control the routing.

AOL - Hacker Heaven

Don't you just love AOL? They have some really cool features like multiple email addresses, an included firewall and spam blocking, parental controls and a nice content layout. It's easy to use, and they have phone numbers all over the world so you can access the system from just about anywhere when you travel...

Yeah it's great for hackers too! The thing about accessing it from anywhere is helpful if you're a spammer or hacker too. The IP address in the logs is the same for all.

AOL provides anonymity for hackers due to the fact that everyone is connecting to the same servers and accessing the Internet and sending messages in a way that is difficult to track back to the actual users. Additionally it is virtually impossible to block because if network admins try to block out the offending IP, they are basically blocking out a whole lot of valid (valuable) traffic from AOL users.

And have you ever tried to figure out how to report an attacker to AOL? Take a look at their web site and just try to figure it out. Impossible...

I have found this article, which suggests an address, but since it is not official AOL information and Wikipedia lets anyone update the content, who knows if it is accurate or has been hacked? For all we know, using this information we could be feeding AOL hackers information that we are onto them, which helps them stay one step ahead:

http://en.wikipedia.org/wiki/Wikipedia:Dealing_with_AOL_vandals

The email listed in here currently to report hackers to AOL is: TOSgeneral@aol.com

If you go to spamcop.net you'll get this abuse email address to report spammers to AOL: abuse@aol.com

Who knows if these emails are valid and whether your message actually gets to AOL. I have made reports to them with no response, hackers continue to hit my systems from the same IPs, and the information in McAfee still shows these odd hacker DNS records (more info in my first post on these):

AOL.COM.IS.N0T.AS.1337.AS.GULLI.COM
AOL.COM.IS.0WNED.BY.SUB7.NET
AOL.COM.AINT.GOT.AS.MUCH.FREE.PORN.AS.SECZ.COM
AOL.COM
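A check worth running on names like the ones above, as an added example that is not from the original post: the PTR (reverse DNS) name for an address is published by whoever controls the reverse zone for that block, so it can say anything. Forward-confirmed reverse DNS accepts a PTR name only if that name resolves forward to the same IP; the lookup tables and the two table_* resolver functions below are constructed so the example runs offline, and the live_* functions show how to wire in real lookups.

```python
"""Added example: forward-confirmed reverse DNS (FCrDNS) classification."""
import socket

# Constructed forward (name -> A records) and reverse (IP -> PTR) tables using
# RFC 5737 documentation addresses. The vanity PTR name is one quoted in the post.
FORWARD = {
    "host1.example.net": ["192.0.2.10"],
    "mail.example.org": ["192.0.2.20", "192.0.2.21"],
    "aol.com.is.0wned.by.sub7.net": [],     # vanity PTR text with no A record
}
REVERSE = {
    "192.0.2.10": "host1.example.net",
    "192.0.2.21": "mail.example.org",
    "192.0.2.30": "AOL.COM.IS.0WNED.BY.SUB7.NET",
    "192.0.2.40": "host1.example.net",      # PTR borrows another host's name
    "192.0.2.50": None,                     # no PTR at all
}


def table_ptr(ip):
    """Offline stand-in for a PTR lookup."""
    return REVERSE.get(ip)


def table_forward(name):
    """Offline stand-in for an A lookup; DNS names are case-insensitive."""
    return FORWARD.get(name.lower(), [])


def live_ptr(ip):
    """Real PTR lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name):
    """Real IPv4 A lookup via the system resolver (not used by the offline demo)."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except OSError:
        return []


def fcrdns(ip, ptr=table_ptr, forward=table_forward):
    """Return 'confirmed', 'mismatch' (PTR name does not map back) or 'no-ptr'."""
    name = ptr(ip)
    if name is None:
        return "no-ptr"
    return "confirmed" if ip in forward(name) else "mismatch"
```

Only a 'confirmed' result says anything about the host; a 'mismatch' on a name like the ones listed above means the text in the log is decoration chosen by the block's owner, not evidence of where the traffic came from.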

Interestingly, an IP attempting to access my box right now has high-level domain information which does not match the typical information I see for AOL.

The IP is: 64.12.116.197

The information listed for AOL is:
Address: 10600 Infantry Ridge Road
City: Manassas
StateProv: VA
Email: domains@aol.net

If you look up the aol.com IP, which on my system resolves to 207.200.94.2,

you get:
OrgName: Netscape Communications Corp.
OrgID: NSCP
Address: 501 E. Middlefield
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

But it also has this info in McAfee:
AOL.COM.IS.N0T.AS.1337.AS.GULLI.COM
AOL.COM.IS.0WNED.BY.SUB7.NET
AOL.COM.AINT.GOT.AS.MUCH.FREE.PORN.AS.SECZ.COM
AOL.COM

IP Range: 207.200.64.0 - 207.200.127.255
Maybe they have two different offices registering IPs, who knows.

Interestingly when I look up AOL in another IP tracert tool I get:
Administrative Contact:
America Online, Inc.

22000 AOL Way
Dulles, VA 20166
US
Tel. 703 265 4670
Email: *******@aol.net

Technical Contact:
America Online, Inc.

22000 AOL Way
Dulles, VA 20166
US
Tel. 703 265 4670
Email: *******@aol.net
